AWX schema - add extraction script and weekly update workflow#461

Open
himdel wants to merge 4 commits into ansible:devel from himdel:awx-schema-extract

Conversation

@himdel himdel commented Jun 25, 2026


Issue: AAP-75301

Adds automated AWX schema extraction:

  • Updated tools/docker/latest.sql to current awx devel (6d665dda33), stripping pg-version-dependent output (version comments, named NOT NULL constraints, pg18 directives) for stable diffs
  • Local extraction script (tools/docker/extract-awx-schema.sh) that uses our compose postgres + uv, no awx containers needed, just a local ../awx checkout
  • Weekly GitHub Actions workflow that runs AWX migrations, extracts the schema, and opens a PR if it changed (using peter-evans/create-pull-request)
  • Updated docs/awx.md with script reference

Summary by CodeRabbit

  • New Features

    • Added an automated way to keep the checked-in AWX schema dump up to date.
    • Added a local schema extraction script that generates a normalized schema file from an AWX checkout.
  • Documentation

    • Updated schema extraction instructions to include the new automated workflow and a simpler local command path.

himdel added 3 commits June 25, 2026 08:55
Strips pg-version-dependent output for stable diffs.

New *_old text columns from migration 0185 (text-to-jsonb):
- main_conf: setting_old
- main_activitystream: deleted_actor_old
- main_joblaunchconfig: survey_passwords_old, char_prompts_old
- main_schedule: survey_passwords_old, char_prompts_old
- main_workflowjobtemplatenode: survey_passwords_old, char_prompts_old
- main_workflowjobnode: survey_passwords_old, char_prompts_old
- main_notification: body_old
- main_unifiedjob: job_env_old

None of these fields are used by metrics-utility.

Automates schema extraction using our compose postgres + uv,
no awx containers needed. Strips pg-version-dependent output
to keep diffs stable across postgres upgrades.

Issue: AAP-75301
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>

Uses peter-evans/create-pull-request to open/update a PR
when the schema changes. Runs migrations with uv + apt postgres,
strips pg-version-dependent output same as the local script.

Issue: AAP-75301
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Jun 25, 2026

Walkthrough

Adds a Bash script for extracting an AWX schema dump, updates the extraction docs, and adds a scheduled/manual GitHub Actions workflow that refreshes tools/docker/latest.sql and opens a pull request when it changes.

Changes

AWX schema refresh automation

Layer / File(s) / Summary:

  • CLI checks and docs (tools/docker/extract-awx-schema.sh, docs/awx.md): adds script argument parsing, AWX checkout validation, devel branch and sync checks, and updated extraction instructions for the automated path.
  • Compose Postgres and temp env (tools/docker/extract-awx-schema.sh): starts the Compose PostgreSQL service, waits for readiness, creates a temporary uv environment, installs filtered AWX requirements, and writes the Django database override.
  • Migrate and dump schema (tools/docker/extract-awx-schema.sh): drops and recreates the awx database, runs awx-manage migrate, and writes a normalized schema-only dump to tools/docker/latest.sql with completion output.
  • Workflow bootstrap (.github/workflows/awx-schema.yml): defines the scheduled and manual update-schema job, checks out this repo and ansible/awx, installs uv and Python from pyproject.toml, and provisions PostgreSQL plus the awx role and database.
  • Workflow diff and PR (.github/workflows/awx-schema.yml): runs AWX migrations and the schema dump in GitHub Actions, stores AWX_SHA, compares tools/docker/latest.sql against the repo, and opens a pull request when the file changes.

Sequence Diagram(s)

sequenceDiagram
  participant GHA as GitHub Actions
  participant AWX as ansible/awx devel checkout
  participant PG as PostgreSQL
  participant Migrate as awx-manage migrate
  participant Dump as pg_dump
  participant PR as peter-evans/create-pull-request

  GHA->>AWX: check out devel
  GHA->>PG: create awx role and awx database
  GHA->>Migrate: run migrations
  Migrate->>PG: apply schema changes
  GHA->>Dump: pg_dump -s
  Dump-->>GHA: tools/docker/latest.sql
  GHA->>PR: open PR when git diff changes

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): The description covers the change but omits required template sections like Testing, Required Actions, and stakeholder coordination. Resolution: add the missing template sections, including reproducible testing steps, expected results, required actions, and any downstream stakeholder coordination.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title clearly summarizes the main change: AWX schema extraction plus a weekly update workflow.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@himdel himdel marked this pull request as ready for review June 25, 2026 09:27
@github-actions


This PR has been automatically linked to AAP-75301 in Jira.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/awx-schema.yml:
- Around line 12-24: The awx-schema workflow runs untrusted ansible/awx@devel
steps while the job already has write-scoped permissions, so split the workflow
into a read-only job for checkout/extraction/migrations and a separate follow-up
job that only opens the PR with write access. In the current job, harden both
actions/checkout usages in the awx-schema workflow by setting
persist-credentials to false so the checked-out repository cannot reuse the
token. Use the existing checkout steps and the PR-creation logic as the key
symbols to relocate permissions cleanly.

In `@tools/docker/extract-awx-schema.sh`:
- Around line 58-60: The postgres readiness loop in the schema extraction script
can hang indefinitely and uses docker compose exec without disabling TTY, which
is brittle in non-interactive shells. Update the wait logic around the
pg_isready call to use docker compose exec with -T, and add a bounded timeout or
retry limit so the script exits deterministically if postgres never becomes
ready.
- Line 69: The requirements filtering in extract-awx-schema.sh can stop the
script under set -e when grep -v finds no uwsgi== match. Update the filtering
step to use a non-failing approach such as sed in place of the current grep -v,
or explicitly handle grep’s no-match exit so the script continues. Keep the fix
localized to the requirements.txt-to-awx-requirements-filtered.txt
transformation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: bb61c915-638e-4a24-91ab-cfca8c870fc8

📥 Commits

Reviewing files that changed from the base of the PR and between b73d38a and a4b85ca.

📒 Files selected for processing (4)
  • .github/workflows/awx-schema.yml
  • docs/awx.md
  • tools/docker/extract-awx-schema.sh
  • tools/docker/latest.sql

Comment on lines +12 to +24
permissions:
contents: write
pull-requests: write
steps:
- name: "Checkout metrics-utility"
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: "Checkout AWX"
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
repository: ansible/awx
ref: devel
path: awx
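Review bot: the second checkout pulls `ansible/awx` at the moving `ref: devel` into `path: awx` inside a job that already holds `contents: write` and `pull-requests: write`, so whatever is at devel on the day the schedule fires runs with a write-scoped `GITHUB_TOKEN`, and neither `actions/checkout` step sets `persist-credentials: false`, so the token also stays in both working trees' git config. Add `persist-credentials: false` under `with:` on both checkouts, and move `permissions:` off this job onto a separate job that only opens the PR, so the step that installs and runs the AWX checkout stays read-only.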


🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Untrusted AWX code executes with a write-scoped repo token

This job grants write permissions before running ansible/awx@devel code (pip install -e . and awx-manage), so an upstream compromise could use GITHUB_TOKEN to write to this repo. Also, both checkouts persist credentials by default.

Use a two-job design: run extraction/migrations in a read-only job, then open PR in a separate write-permission job; and set persist-credentials: false on both checkout steps as immediate hardening.

Also applies to: 54-87

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 19-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


Source: Linters/SAST tools

Comment on lines +58 to +60
until $COMPOSE_CMD -f docker-compose.yaml exec postgres pg_isready -U awx 2>/dev/null; do
sleep 2
done
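Review bot: `2>/dev/null` on the probe hides every failure that is not a readiness failure (compose file not found, wrong service name, `$COMPOSE_CMD` unset), so a misconfiguration shows up as a silent loop that never exits rather than an error. Bound the loop with a retry budget, pass `-T` so `exec` does not try to allocate a TTY in non-interactive shells, and fail loudly when the budget runs out, e.g. `for i in $(seq 1 30); do $COMPOSE_CMD -f docker-compose.yaml exec -T postgres pg_isready -U awx && break; sleep 2; done`, then check the probe once more after the loop and `exit 1` with a message if it still fails.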


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Bound the postgres wait loop and disable TTY allocation

Line 58 can hang forever if readiness never succeeds, and docker compose exec without -T is brittle in non-interactive shells. Add -T plus a timeout/retry budget so failures surface deterministically.


cd "$AWX_DIR"
uv venv .venv 2>/dev/null || true
# Filter out uwsgi (needs crypt.h) — not needed for migrations
grep -v '^uwsgi==' requirements/requirements.txt > "$TMPDIR/awx-requirements-filtered.txt"
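Review bot: besides `grep -v` returning 1 on no match under `set -e`, two other lines here mask failures: `uv venv .venv 2>/dev/null || true` swallows any venv-creation error, so a broken uv install only surfaces later as a confusing install error, and the redirect target depends on `$TMPDIR`, which is not set anywhere in this region and is absent from the default environment on most Linux systems, so if the script relies on the environment the filtered file lands at `/awx-requirements-filtered.txt`. Assign `TMPDIR=$(mktemp -d)` explicitly (and with `set -u` an unset variable becomes a hard error instead of a silent misdirection), let `uv venv` fail visibly, and replace the filter with `sed '/^uwsgi==/d' requirements/requirements.txt > "$TMPDIR/awx-requirements-filtered.txt"`.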


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

grep -v can abort the script under set -e

At Line 69, if uwsgi== is no longer present, grep -v exits with status 1 and the script stops. Use a non-failing filter (sed '/^uwsgi==/d') or handle the no-match exit explicitly.

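A hardened form of the two patterns flagged in the comments above (the unbounded `pg_isready` loop and the `grep -v` filter), written as an added example that is not the PR's extract-awx-schema.sh: a bounded readiness probe and a `sed`-based requirements filter that stays exit 0 when nothing matches. The function names `wait_for_ready` and `filter_requirements` and the requirement pins in the self-check are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the PR's extract-awx-schema.sh: bounded readiness wait
# plus a non-failing requirements filter, both safe under `set -eu`.
set -eu

# Poll a probe command at most MAX_TRIES times, sleeping DELAY seconds between
# attempts. Returns 0 on the first success and 1 once the budget is exhausted,
# so a postgres that never becomes ready fails the script instead of hanging it.
# Usage: wait_for_ready MAX_TRIES DELAY CMD [ARGS...]
wait_for_ready() {
  max_tries=$1; delay=$2; shift 2
  try=1
  while [ "$try" -le "$max_tries" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    try=$((try + 1))
    sleep "$delay"
  done
  echo "probe '$*' not ready after $max_tries attempts" >&2
  return 1
}

# Drop the pinned uwsgi line. Unlike `grep -v`, sed exits 0 when no line
# matches, so a requirements file without uwsgi does not trip `set -e`.
filter_requirements() {
  sed '/^uwsgi==/d' "$1"
}

# Self-check on constructed data (hypothetical pins, not AWX's real file).
demo() {
  tmp=$(mktemp -d)
  printf 'Django==4.2\nuwsgi==2.0.22\npsycopg==3.1\n' > "$tmp/with-uwsgi.txt"
  printf 'Django==4.2\npsycopg==3.1\n' > "$tmp/without-uwsgi.txt"
  filter_requirements "$tmp/with-uwsgi.txt" > "$tmp/a.txt"
  filter_requirements "$tmp/without-uwsgi.txt" > "$tmp/b.txt"  # no match, still exit 0
  diff -q "$tmp/a.txt" "$tmp/b.txt"            # identical: uwsgi line removed
  wait_for_ready 3 0 true                       # ready on the first attempt
  ! wait_for_ready 2 0 false                    # budget exhausted -> returns 1
  rm -rf "$tmp"
  # In the real script the probe would be:
  #   wait_for_ready 30 2 $COMPOSE_CMD -f docker-compose.yaml exec -T postgres pg_isready -U awx
}

demo
```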
